Registration and login

This part will show you how you build a simple login form and a simple registration form.

Activate security stuff

To use all the security stuff and the default password and username provider it has to be activated in the Settings.yaml

The authenticationStrategy is oneToken here, that means that ne Token has to be authenticated to grant access.

The default provider for the authentication is PersistedUsernamePasswordProvider. This authentication provider is shipped with Flow. Here you can also add your own provider if you want to.


Define your Role in Policy.yaml

To make the role work it has to be defined in the Policy.yaml. In our case, the role is called Visitor, so the role in the Policy.yaml has to be called Visitor too.


First of all we create a new Controller called Login. This controller will handle all stuff that has to do with the login and the registration.

Interesting lines are explained below and marked in the source code:

Line 16 and 22: We need some help from Flow here. So we inject the authenticationManager and the accountRepository here.

Line 27 (50): indexAction and the registerAction have nothing to do here. They should only display the required forms.

Line 35: The authenticateAction validates the credentials the user entered. We use the authenticationManager to do this. The authenticationManager requires the parameter in the correct written way but we take a look at this when we create the template for the login form.


Line 62,63:On this lines we set the default role for the registered person. In the next line we set a random salt to make the password a little bit more secure. If you want to make it some more secure, use a function that generates a random string here. The string is added to the end of the password and FLOW3 knows how to calculate the password to have a correct comparison later.

Line 65-71: We check if the username has a miminum length of 3 and if the passwords that have been entered match.

Line 72: We use the object manager to create a new account. We also set the username and the password here. The last parameter is the default role for the account.

Line 73: We add the user to the account repository.

Registration form

Now we add the registration form. It is a simple form with username and password and a second password to make sure that the password was entered correctly.

Login / Logout form

The login form and the logout link. Here we call the authenticate action that is described above. We don’t check the username and password by ourself. Flow is checking this for us. That this works we need to name the arguments (username, password) in the correct way, so that Flow knows where to look.

In this form you can also see how you can use the roles later. We have an f:security ViewHelper that checks if there is a user logged in and if the role matches. If there is a user logged in that has the role Visitor, we display the logout link, if not, we display the login form.

Below the login form I added the link to the user registration.

If you call the login controller now, you should see the login form. If you have successfully registered and logged in, the login form should disappear and you should see only the link to logout.

Access the data of a logged in user

To access the data of a logged in user you have to extend the controller. Just add the security context and inject it. See the snippet below for more information.



4 thoughts on “Registration and login

  1. R.D.

    What is the correct location for the Policy.yaml in this case? I can’t seem to get it right.. Thanks in advance!

      1. phallin

        Thank you for your valuable post! 🙂
        However, I also got the same problem as R.D . I could not create the account because the role that defined in policy.yaml not get synchronized into the database unless we run doctrine:migrate.

        1. Ralf

          If you call

          ./flow security:showeffectivepolicy any_role

          The roles will be updated inside the database

Comments are closed.